The NorduGrid Certification Authority provides X.509 certificates for identification and authentication purposes for people associated with a research and/or academic institution in the Nordic countries specifically Denmark, Finland, Norway and Sweden. The NorduGrid Certification Authority is recognized and trusted by a growing list of other scientific Certification Authorities in the world. In particular it is a member of the EUGridPMA.
Certificates are needed to authenticate people and machines on the Grid. You can find useful information about X.509 certificates in our Certificate mini howto.
Obtaining a certificate
User and host certificates can be acquired by sending a certificate request to email@example.com. A certificate request can be generated using the grid-cert-request command as specified below. Before requesting the certificate, you should make sure that the
package is installed on the cluster. Your system-administrator can confirm this if you are in doubt. If not, the package can be downloaded from the NorduGrid Downloads area. Note that this package is already included in the NorduGrid standalone client.
Now to generate a user-certificate-request, run the command
and answer the questions as they appear. Please note that some of the fields are not supposed to be changed. Before sending the generated certificate request, verify that the subject of your certificate request has the form:
/O=Grid/O=NorduGrid/OU=<your organization>/CN=<your name>/Email=<your email>
and does not contain non-ASCII characters (e.g., national accented letters in Unicode, non-latin letters etc). If these criteria are not satisfied, please rerun the grid-cert-request command. Note: you cannot use grid-cert-request by itself to generate a certificate request. You have to use the command above.
To generate a host-certificate-request, run:
grid-cert-request -host <FQDN of my host>
and to generate a ldap certificate request, run:
grid-cert-request -service ldap -host <FQDN of my host>
When generating a host- or ldap-certificate request, remember to NOT use the -int flag.
The certificate requests should be sent to the appropriate RA (see next section). If in doubt send the request to: firstname.lastname@example.org.
In order to do identity checking you must send your certificate request to a valid registration authority (RA). Pick an appropriate RA from the this page. If in doubt, send the request directly to the CA: email@example.com.
According to the NorduGrid CA policy, certificates cannot be renewed. You must submit a new certificate request as described above.
The NorduGrid CA public certificate
If you wish to interact with NorduGrid resources, you need to
install the NorduGrid CAs public certificate and various other files.
The easiest way to install these is to install the
Note that the NorduGrid standalone client already contains the NorduGrid CA public certificate as well as public certificates for some of the major scientific certificate authorities in the world.
To install it into your browser simply click here.
For a manual installation you need to get the files 1f0e8352.0 and 1f0e8352.signing_policy and follow the Globus installation instructions. An up to date revocation list can be found here 1f0e8352.r0.
If you have any problems email firstname.lastname@example.org
Sometimes user or host certificates needs to be invalidated before the end
of their lifetime. This is called revocation and happens most often
if the private key corresponding to the certificate has been compromised.
Sites that accepts
certificates signed by the NorduGrid CA should install an updated copy of the
the list of revocated certificates -- the so-called CRL-file
CRL file is maintained by the CA and a new version should periodically
be downloaded and placed in
If the CRL is installed, authentication will fail once it has expired and a new one needs to be downloaded and installed. Site-administrators can use the following command to check their NorduGrid CRL file:
openssl crl -in /etc/grid-security/certificates/1f0e8352.r0 -text
The default lifetime of the CRL is 30 days. To get automatic updates of the
certificate revocation list, you can install the certificate-utility
package provided by the NorduGrid project
downloadable from the NorduGrid Downloads area. This package will make sure that the certificate revocation list is updated four times a day and the CRL files of the trusted CAs are placed in the default directory given above.
Certificate Policy and Certification Practice Statement
The NorduGrid X.509 CA Certificate Policy and Certification Practice Statement. The document is structured according to RFC 2527.